
DNS Filtering

Updated on Sep 28, 2024

Definition

DNS filtering implements access control by examining the domain names in DNS request packets, allowing or denying user access to certain websites and regulating online behavior. DNS filtering categorizes domain names using DNS blacklists/whitelists and DNS categories to block access to unauthorized domains and permit access to authorized ones.

Why Is DNS Filtering Important?

In computer networks, devices connect using IP addresses, but these addresses are often hard to remember. To simplify this, a system was designed to match IP addresses with human-readable hostnames, known as the Domain Name System (DNS). DNS facilitates the conversion and querying between IP addresses and domain names, allowing users to access devices using easily remembered names.

DNS employs a hierarchical naming system, assigning meaningful names to devices. DNS servers in the network bind IP addresses with corresponding domain names, so users can access devices using simple domain names instead of complex IP addresses. For instance, when a user types a website’s domain name into a browser, the browser sends a request to a DNS server, which then returns the IP address associated with that domain name, enabling the user to access the desired website.

With the rapid growth of the internet and its widespread use across various fields, information retrieval, sharing, and dissemination have become extremely convenient. However, this convenience introduces new challenges and threats:

  1. Employees might visit non-work-related websites during work hours, reducing productivity.

  2. Accessing illegal or malicious websites can expose a company’s confidential information and potentially lead to threats from worms, viruses, or trojans.

  3. Network congestion might prevent employees from accessing essential work-related websites (like the company homepage or search engines), further reducing efficiency.

This is where DNS filtering becomes crucial. DNS filtering not only prevents employees from accessing non-work-related websites but also serves as an important network security measure. Specifically, it can block access to phishing sites, ransomware sites, cryptojacking sites, and other malicious websites, thereby preventing serious consequences like information leaks and financial losses.

How Does DNS Filtering Function?

In an enterprise network, products that support DNS filtering, such as firewalls, are typically deployed at the network's perimeter. When an employee initiates a request to access a website (DNS request), the DNS filtering function checks the domain name in the request to determine whether it is legitimate and then decides to permit, alert, or block the access request accordingly. Specifically, the function:

  • Allows employees to access legitimate websites.

  • Blocks and generates alerts for requests to access illegitimate domain names.

DNS filtering falls into two modes: DNS blacklist/whitelist-based filtering and DNS category-based filtering. The two modes are evaluated with different priorities when both apply to a request.

DNS Filtering Modes

1. DNS Blacklist/Whitelist-Based DNS Filtering

What It Is: Think of the DNS blacklist and whitelist as a special kind of user-defined category but with fixed, unchangeable control rules.

How It Works: This method is typically used to filter websites with straightforward and stable domain names. The blacklist is a list of domain names that users are not allowed to access, while the whitelist is a list of domain names that users are allowed to access. When a device processes a DNS request, it checks the domain name against these lists:

  • If the domain is on the whitelist, the device permits the request.

  • If the domain is on the blacklist, the device blocks the request.

2. DNS Category-Based DNS Filtering

Main Purpose: This is the primary mode for managing DNS filtering. It allows administrators to control which domain names employees can or cannot access based on different DNS categories.

Types of Categories:

  • Predefined DNS Categories: These categories include a vast array of mainstream websites and domain names. They are preloaded on DNS filtering-capable devices for administrators to leverage. These categories can be updated dynamically through a remote query service. For example, Huawei's remote query server maintains over 500 million categorized domain names. If a new domain name is not already categorized, the server periodically simulates access to the domain to determine its content and then updates the category information accordingly.

  • User-Defined DNS Categories: While predefined categories cover most mainstream websites, some new sites might not be included. Additionally, enterprises might have their own specific DNS categorization policies. In such cases, administrators can create custom categories as needed.

By using these DNS categories, administrators can have fine-grained control over which websites employees are allowed to visit, ensuring security and compliance with company policies.
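As an added example (not FS's or any vendor's code), the Python below shows the check described above: it extracts the queried domain name from a raw DNS query packet, then applies whitelist, blacklist and category rules to decide whether to allow, alert or block. The domain names, lists, categories, the whitelist-before-blacklist-before-category priority, and the rule that a listed domain also covers its subdomains are all assumptions constructed for the example; the page does not fix them.

```python
# Added example, not the page's or any vendor's code. Assumed priority:
# whitelist, then blacklist, then DNS category (the page does not fix the order).
import struct

def parse_qname(packet: bytes) -> str:
    """Return the queried domain name from a raw DNS query (RFC 1035 wire format)."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] < 1:  # 12-byte header, QDCOUNT >= 1
        raise ValueError("not a DNS query")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a question name
            raise ValueError("unexpected compression pointer in QNAME")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    return ".".join(labels)

def build_query(name: str) -> bytes:
    """Constructed sample input: a minimal A/IN query for name, ID 0x1234, RD set."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def suffixes(name: str) -> list:
    """name and each parent domain, most specific first (assumed matching rule)."""
    parts = name.split(".")
    return [".".join(parts[i:]) for i in range(len(parts))]

# Constructed policy data. Lists carry fixed actions; category actions are configurable.
WHITELIST = {"intranet.example.com"}
BLACKLIST = {"malicious.example"}
CATEGORIES = {"example.com": "business", "phish.example.net": "phishing", "social.example.org": "social"}
CATEGORY_ACTION = {"business": "allow", "phishing": "block", "social": "alert"}

def filter_query(packet: bytes) -> tuple:
    """Return (domain, action, reason): action is allow, alert or block."""
    name = parse_qname(packet)
    if any(s in WHITELIST for s in suffixes(name)):
        return name, "allow", "whitelist"
    if any(s in BLACKLIST for s in suffixes(name)):
        return name, "block", "blacklist"
    for s in suffixes(name):
        if s in CATEGORIES:
            return name, CATEGORY_ACTION.get(CATEGORIES[s], "allow"), CATEGORIES[s]
    return name, "allow", "uncategorized"
```

An "alert" result is where a real device would log the request and notify the administrator while still resolving the name.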

DNS Filtering vs. URL Filtering

Both DNS filtering and URL filtering are types of web filtering, but they differ in their levels of control and implementation methods.

| Comparison Item | DNS Filtering | URL Filtering |
|---|---|---|
| Filtering method | Filters based on DNS requests (domain level) | Filters based on specific URLs (page level) |
| Access control phase | Control is performed in the domain name resolution phase | Control is performed when an HTTP/HTTPS URL request is initiated |
| Control granularity | Coarse: control only at the domain name level | Fine: control at the directory and file levels |
| Impact on performance | Little, as DNS resolution happens before page load | Great, as each URL is evaluated |
| Control scope | Controls all services corresponding to the domain name | Controls only HTTP/HTTPS access |
| Use cases | Blocking malicious or adult websites, phishing protection | Restricting access to specific webpages (e.g., social media) |
| Deployment | Simple, managed via DNS servers (local or cloud) | More complex, may require proxy or firewall integration |
| Management | Centralized control via DNS management | Fine-grained control via URL lists or policies |

In summary, DNS filtering manages access at an earlier stage than URL filtering, effectively reducing the overall HTTP traffic across the network. On the other hand, URL filtering provides more detailed control over user access to network resources.
